How to enable RBL checks for Postfix
First, you want a local DNS resolver for RBL queries, because most public DNS servers (such as Google's) are blocked by the multi-RBL providers and queries sent through them get no useful answer.
Just install unbound as the local resolver:
$ sudo apt install unbound
Then edit '/etc/resolv.conf' so that 127.0.0.1 is the only nameserver.
Next, test that unbound is working correctly by running the following query.
$ dig 188.8.131.52.zen.spamhaus.org
If the results include:
;; ANSWER SECTION:
184.108.40.206.zen.spamhaus.org. 768 IN A 127.0.0.4
220.127.116.11.zen.spamhaus.org. 768 IN A 127.0.0.11
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Apr 30 08:14:42 HKT 2023
;; MSG SIZE rcvd: 93
then the resolver is OK at this time (04/10/2023).
If the result is NXDOMAIN instead, your DNS resolver has a problem.
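The manual dig check above can be scripted. The following is an added example, not part of the original post: it builds the reversed-octet query name for an IPv4 address, resolves it through the local resolver at 127.0.0.1, and translates the 127.0.0.x answer into the Spamhaus ZEN component that produced it (SBL, XBL, PBL, or one of the 127.255.255.25x error codes, of which 127.255.255.254 is the one returned when the query came through a public resolver). It assumes dig is installed; the zone name and the return-code table are Spamhaus' published ones, and the addresses in the usage are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): query a DNSBL for an IPv4 address
# via the local resolver and explain the answer.
# Assumes: dig available, unbound listening on 127.0.0.1 (as set up above).
set -u

# rbl_name IP ZONE -> reversed octets followed by the zone,
# e.g. rbl_name 192.0.2.1 zen.spamhaus.org -> 1.2.0.192.zen.spamhaus.org
rbl_name() {
    ip=$1
    zone=$2
    oldifs=$IFS
    IFS=.
    set -- $ip          # $1..$4 now hold the four octets
    IFS=$oldifs
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# rbl_meaning ANSWER -> which ZEN component a 127.x return code comes from
# (Spamhaus' published return codes; other zones use different tables).
rbl_meaning() {
    case $1 in
        127.0.0.2|127.0.0.3)   echo "SBL: known spam source" ;;
        127.0.0.[4-7])         echo "XBL: exploited or compromised host" ;;
        127.0.0.10|127.0.0.11) echo "PBL: dynamic/end-user address space" ;;
        127.255.255.25[2-5])   echo "ERROR: query refused (e.g. sent via a public resolver)" ;;
        *)                     echo "unknown return code" ;;
    esac
}

# rbl_check IP [ZONE] -> prints the listing status.
# Returns 0 when the address is listed, 1 when the lookup yields no A record.
# Note that an empty answer also results when the resolver itself is broken,
# so test with a known-listed address first (see usage note).
rbl_check() {
    ip=$1
    zone=${2:-zen.spamhaus.org}
    name=$(rbl_name "$ip" "$zone")
    answer=$(dig +short "$name" A @127.0.0.1 2>/dev/null | head -n 1)
    if [ -z "$answer" ]; then
        echo "$ip: not listed on $zone (NXDOMAIN)"
        return 1
    fi
    echo "$ip: listed on $zone as $answer -> $(rbl_meaning "$answer")"
    return 0
}

# Usage: sh rbl_check.sh 127.0.0.2 192.0.2.1   (placeholder addresses)
if [ $# -gt 0 ]; then
    for ip in "$@"; do
        rbl_check "$ip"
    done
fi
```

Spamhaus documents 127.0.0.2 as a test address that is always listed, so `sh rbl_check.sh 127.0.0.2` should report an SBL hit; if it reports NXDOMAIN, the resolver is the problem, and if it reports an ERROR code, the query is still being sent through a public resolver.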
Next, let's enable postscreen as an SMTP proxy in front of smtpd. Edit the file '/etc/postfix/master.cf' and comment out this line:
#smtp inet n - y - - smtpd
This disables the plain smtpd service on the smtp listener.
Then uncomment the following four lines:
smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
These run postscreen as the SMTP proxy on the smtp listener, hand accepted connections to smtpd as a pass service, and enable the two helpers it uses: dnsblog for DNS blocklist lookups and tlsproxy for TLS.
Now, let's edit file '/etc/postfix/main.cf' and add these lines:
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_greet_action = enforce
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2
Here '/etc/postfix/postscreen_access.cidr' is simply the file listing our own IPs that must never be blocked, for example the IP of your secondary MX. The content looks like below.
Here we use Spamhaus as the only DNS RBL. Its weight is set to 2 and the DNSBL threshold is also 2, so a client IP listed by Spamhaus reaches the threshold and is disconnected.
Since we have changed the DNS resolver and updated the Postfix configuration, restart the related services.
$ sudo systemctl restart postfix dovecot opendkim
Now let's watch the logs; blocking results like the following will appear soon.
Apr 30 08:27:16 mxin postfix/dnsblog: addr 18.104.22.168 listed by domain zen.spamhaus.org as 127.0.0.3
Apr 30 08:27:16 mxin postfix/dnsblog: addr 22.214.171.124 listed by domain zen.spamhaus.org as 127.0.0.11
Apr 30 08:27:16 mxin postfix/dnsblog: addr 126.96.36.199 listed by domain zen.spamhaus.org as 127.0.0.4
Apr 30 08:27:16 mxin postfix/postscreen: DNSBL rank 2 for [188.8.131.52]:49837
Apr 30 08:27:22 mxin postfix/tlsproxy: TLS handshake failed for service=smtpd peer=[184.108.40.206]:65458
Apr 30 08:27:22 mxin postfix/tlsproxy: DISCONNECT [220.127.116.11]:65458
As you can see, the IP 18.104.22.168, which is listed by Spamhaus, was blocked by postscreen.
Finally, if you have other DNSBL checks like the following in your smtpd restrictions, comment them out:
# reject_rbl_client zen.spamhaus.org,
# reject_rbl_client bl.spamcop.net
There is no point in having both smtpd and postscreen check the DNSBLs for the same client.
Here is the postscreen documentation, which you should read carefully.
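The master.cf and main.cf changes above, plus the final check that smtpd is not still running its own reject_rbl_client lookups, can be applied and verified with postconf instead of hand-editing. The following is an added example, not part of the original post: it uses `postconf -M -e` for the master.cf services and `postconf -e` for the main.cf parameters, writes the postscreen_access.cidr file in cidr_table(5) format, and audits the active configuration for uncommented reject_rbl_client entries. It assumes Postfix 2.11 or later (for `postconf -M -e`) and uses the placeholder address 192.0.2.25 for the secondary MX.

```shell
#!/bin/sh
# Added example (not from the original post): apply the postscreen settings
# with postconf and audit main.cf for a duplicate DNSBL check in smtpd.
# Assumes Postfix 2.11+; 192.0.2.25 is a placeholder for your secondary MX.
set -u

# Read main.cf text on stdin and print every uncommented line that still
# carries reject_rbl_client. Exit status 1 when at least one is found, so the
# function can be used as a pass/fail check.
audit_rbl_duplicates() {
    awk '
        /^[[:space:]]*#/ { next }              # comment lines are fine
        /reject_rbl_client/ { found = 1; print }
        END { exit(found ? 1 : 0) }
    '
}

# Apply the master.cf and main.cf changes described in the post.
apply_postscreen() {
    # master.cf: postscreen takes over the smtp listener, smtpd becomes a
    # pass service behind it, and the dnsblog/tlsproxy helpers are enabled.
    postconf -M -e 'smtp/inet=smtp inet n - y - 1 postscreen'
    postconf -M -e 'smtpd/pass=smtpd pass - - y - - smtpd'
    postconf -M -e 'dnsblog/unix=dnsblog unix - - y - 0 dnsblog'
    postconf -M -e 'tlsproxy/unix=tlsproxy unix - - y - 0 tlsproxy'

    # main.cf: the postscreen parameters from the post (Spamhaus weight 2,
    # threshold 2, so one Spamhaus hit is enough to drop the client).
    postconf -e \
        'postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr' \
        'postscreen_blacklist_action = drop' \
        'postscreen_greet_action = enforce' \
        'postscreen_dnsbl_threshold = 2' \
        'postscreen_dnsbl_action = enforce' \
        'postscreen_dnsbl_sites = zen.spamhaus.org*2'

    # Own hosts that must never be dropped, in cidr_table(5) "address action"
    # form. The address below is a placeholder; put your secondary MX here.
    printf '%s\n' '192.0.2.25 permit' > /etc/postfix/postscreen_access.cidr
}

# Usage:  sh postscreen_setup.sh apply   -> apply settings, then restart
#         sh postscreen_setup.sh audit   -> fail if smtpd still runs reject_rbl_client
case ${1:-} in
    apply)
        apply_postscreen
        systemctl restart postfix
        ;;
    audit)
        # postconf -n prints the effective non-default settings, one
        # parameter per line, so the audit sees exactly what smtpd will use.
        if postconf -n | audit_rbl_duplicates; then
            echo "OK: no reject_rbl_client in smtpd restrictions"
        else
            echo "WARNING: smtpd and postscreen would both query DNSBLs; comment the lines above out"
            exit 1
        fi
        ;;
esac
```

Run the audit after every restriction change: once postscreen_dnsbl_sites is set, any reject_rbl_client left in smtpd_recipient_restrictions means the same client gets looked up twice, once by dnsblog and again by smtpd.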